
Coordinate response to xz-utils (DSA 5649-1)



Hi,

how should we react to the compromised xz-utils upload?

Ubuntu is reverting their amd64 binaries to pre-Feb 25 and rebuilding
stuff.

On Debian side AFAIU currently amd64 buildds are paused and pending
reinstall (plus rotation of key material, both OpenPGP and SSH).

People are starting to investigate packages that have been built since
the compromised xz-utils was uploaded, including packages built for
stable suites using reproducible builds. Is there someone keeping track
of this?

Should we also reset the archive to some prior state and rebuild
packages like Ubuntu? Do we need to revert to an earlier date as
vulnerable versions have been uploaded to experimental on 2024-02-01
(but the earlier version might only have corrupted test files, not the
payload enabler)? If so, which suites and which architectures? (This
will likely take a while to prepare.)

Do we need any other immediate actions?

Should we use something other than mail to keep track of what we want
to do? (Mail threads can become hard to keep track of after all.)

(Let us please keep future improvements such as more isolated builds
out of this particular discussion.)

Ansgar
